The Medical Device Coordination Group (MDCG), an advisory body of the European Commission, has published guidance for notified bodies on the use of MDSAP audit reports in the context of surveillance audits carried out under the Medical Devices Regulation 2017/745 (MDR) and In Vitro Diagnostic medical devices Regulation 2017/746 (IVDR).

Regulatory Background 

The MDCG guidance describes the way the notified bodies (special entities designated to perform conformity assessment of medical devices) should use the audit reports from the Medical Device Single Audit Program (MDSAP) in accordance with the applicable regulations. According to the document, a medical device manufacturer that has already passed the MDSAP audit may provide the appropriate report and attachment thereto in the context of regular surveillance audit carried out under the Regulations. 

In accordance with the Regulations, conformity assessment procedures should be carried out properly before the medical device would be allowed for marketing and use in the EU. Conformity assessment usually covers the following aspects:

  • Quality management system audit, and
  • Assessment of the safety and performance of a medical device in question. 

At the same time, the audit of a quality management system to be implemented by the medical device manufacturer also fall within the scope of activity carried out by MDSAP auditing organizations. 

It is important to mention that the MDSAP structure of the organizations involved actually consists of two tiers:

  1. MDSAP auditing organizations – organizations focused on the manufacturer’s compliance with the requirements related to the quality management system and could be either an independent entity or regulating authority.
  2. MDSAP regulatory authority – a state authority or other entity responsible for the state control and supervision of the activity in the sphere of medical devices, which is also entitled to take necessary regulatory actions.

MDR/IVDR Requirements

According to the requirements set forth by the Regulations, a medical device manufacturer shall duly implement a quality management system in order to ensure that any and all medical devices comply with the applicable requirements. The manufacturer shall also document properly all related aspects to be able to provide the appropriate documentation to the regulating authorities upon request. At the same time, notified bodies designated under the MDR/IVDR are entitled to perform an audit and certification of a quality management system to be established by the manufacturer, and also to carry out the appropriate surveillance audits on a regular basis – at least once per year. Each surveillance audit should be based on the audit plan covering such aspects as objectives, criteria and scope of the audit depending on the particular medical devices in question, and the technologies and processes subject to assessment. The main goal of the surveillance audit is to assess other the quality management system has been properly implemented by the manufacturer, and whether the manufacturer sustains compliance with the applicable requirements.

Application of MDSAP Audit Reports

The MDCG emphasizes that MDSAP audit reports could be used only in a part where they cover the requirements similar or equivalent to ones set forth under the Regulations, while the notified bodies are remaining fully responsible for the final decision regarding placing the particular medical device on the EU market. At the same time, MDSAP audit reports still could be useful – for instance, if some aspects have been already covered by the report, the program of the planned surveillance audit could pay less attention to such aspects, allowing to focus on the most important points falling outside the scope of the MDSAP audit report. If the MDSAP audit report highlights certain non-conformities, the notified body will pay more attention to related aspects during the surveillance audit. 

The MDCG outlines the most important points related to the applicability of MDSAP audit reports in the context of regular surveillance audits, namely:

  • Initial quality management system audits should be performed by the notified body itself. In such cases, MDSAP audit reports are not applicable. 
  • The aforementioned audit reports are not applicable to unannounced audits too. 
  • In any case, annual surveillance audits should take place, while positive QMS conformity appraisal could be used to limit the scope of such audits. 
  • Unannounced MDSAP audits are intended to assess the actions taken by the manufacturer to correct non-conformities, so the content of such audits differs from the content of unannounced audits carried out under the Regulations. 
  • MDSAP audit reports should be taken into account entirely with all the attachments thereto. 

In case of any concerns regarding the QMS functioning based on the additional information, a complete surveillance audit should be performed. 

The MDCG also mentions that the notified bodies are allowed to develop additional guidelines describing the way MDSAP audit reports could be applied. For instance, such guidelines could outline the particular content of MDSAP audit reports to be taken into consideration. The MDCG additionally emphasizes that any and all aspects falling outside the MDSAP audit report should be covered by the surveillance audit to be performed by the notified body, which shall be fully responsible for the decision taken irrespectively of the information used.

Content of MDSAP Audit Reports

Besides the general rules prescribing the way the notified bodies should apply MDSAP audit reports, the MDCG guidance also contains the annexes providing details regarding the particular information contained in the aforementioned reports, that could be used by notified bodies in the context of regular surveillance audits. In particular, the useful (for the purpose of annual audits) information MDSAP audit reports include:

  • General information about the audited facility and MDSAP auditing organization that has performed the audit. 
  • A list of medical devices covered by the scope of the report, and certification schemes. 
  • Details about the facilities described in the report, including the connections existing between them. 
  • Additional audit objectives.
  • Description of the particular facility subject to the audit.
  • Information about critical suppliers.
  • Outcomes of previous audits.
  • Audit findings and non-conformities identified in the course of the MDSAP audit. 
  • Deviations from the initial audit plan. 
  • Details regarding non-conformities identified during the previous audits, and the actions taken by the manufacturer to correct them.  
  • Audit conclusions and statements on conformity.

Correlations with MDR Requirements

One of the most important aspects to be considered when using the MDSAP report in the context of the annual surveillance audit under the MDR relates to the correlation between the requirements the MDR sets forth to the QMS and the MDSAP Audit Model. Actually, the requirements under the MDR are wider than ones covered by the MDSAP audit report. As it was already mentioned before, the notified bodies should develop detailed guidance describing the way the requirements under the Regulations could be covered by the information contained in MDSAP audit reports. In particular, the appropriate correlations between the two frameworks should be determined. Such guidance should cover the following spheres:

  • Clinical evaluation,
  • Supplier controls, and
  • Post-market surveillance.

Summarizing the information provided here above, the MDCG guidance describes the way MDSAP audit reports could be used in the context of regular surveillance audits of manufacturing facilities to be carried out but the notified bodies in accordance with the MDR and IVDR. The document outlines the most important aspects to be considered, including the limitations of the scope and additional rules.

How Can RegDesk Help?

RegDesk is a next-generation web-based software for medical device and IVD companies. Our cutting-edge platform uses machine learning to provide regulatory intelligence, application preparation, submission, and approvals management globally. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Applications that normally take 6 months to prepare can now be prepared within 6 days using RegDesk Dash(TM). Global expansion has never been this simple.